Re: I am working to further shrink the size of policy in Fedora 17.

[Daniel J Walsh <dwalsh@redhat.com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/12/2011 02:45 PM, Christopher J. PeBenito wrote:
> On 10/12/11 14:10, Daniel J Walsh wrote:
>> On 10/12/2011 01:37 PM, Christopher J. PeBenito wrote:
>>> On 10/12/11 10:15, Daniel J Walsh wrote:
>>>> On 10/12/2011 09:40 AM, Christopher J. PeBenito wrote:
>>>>> On 10/07/11 14:24, Daniel J Walsh wrote:
>>>>>> Right now, every domain that transitions to another
>>>>>> domain gets the following rule written.
>>>>>> 
>>>>>> dontaudit SOURCE TARGET : process { noatsecure siginh 
>>>>>> rlimitinh } ;
>>>>>> 
>>>>>> In Fedora 17 policy right now we have 2152 rules, out of
>>>>>>  Dontaudit: 9415
>>>>>> 
>>>>>> 
>>>>>> sesearch --dontaudit -p noatsecure | wc -l 2152
>>>>>> 
>>>>>> We could rewrite this with one rule.
>>>>>> 
>>>>>> dontaudit domain domain:process { noatsecure siginh
>>>>>> rlimitinh } ;
>>>>>> 
>>>>>> Of course this is more lenient then what we have now, 
>>>>>> although since it is dontaudit rules, not sure it
>>>>>> matters.
>>>>>> 
>>>>>> Comments?
>>>> 
>>>>> I'm on the fence.  On one hand, I hate to overspecify the 
>>>>> policy, but on the other hand, these perms can only be hit
>>>>> on a domain transition.  How much does this save?
>>>> 
>>>> 
>>>> 2000/90000
>>>> 
>>>> 2% of the size of policy.
>> 
>>> Based on my test of all Refpolicy modules compiled in, the
>>> size went from 4687381 to 4667101, a 20kB difference.  If
>>> someone was trying to squeeze everything out for an embedded
>>> system policy, I could see this change, but otherwise, it
>>> doesn't seem very compelling.
>> 
>> That is because you have not already shrunk your policy to the
>> degree that Fedora has.  F17 is down to this.
> [...]
>> Allow:           83205    Neverallow:          0 Auditallow:
>> 10    Dontaudit:        6079
> 
> I don't understand.  The change in Refpolicy was 1690 dontaudit
> rules.  If thats a 20kB change in Refpolicy, the 2151 rule change
> in the Fedora policy would probably be ~25kB.  What is the current
> size of the Fedora policy (policy.26 on disk)?
> 

ls -l /etc/selinux/targeted/policy/policy.26
- -rw-r--r--. 1 root root 1993514 Oct 11 11:14
/etc/selinux/targeted/policy/policy.26

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6V5SgACgkQrlYvE4MpobMPbwCgpskAh3I/i7UX2dLUCk6y6tsY
uI4An1cbF0C9rPG3M0P4dKus/Mi1zGE3
=WTYs
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.